Startup vulnerability research and consultancy firm ReVuln says the way Steam handles steam:// protocol URLs leaves users open to having vulnerabilities in Steam and their game exploited, reports Computerworld, who say their request for comment on this was not immediately fulfilled by Valve (thanks Ant). A proof-of-concept trailer shows what they are talking about, and here's a bit:

According to tests performed by the ReVuln researchers, Internet Explorer 9, Google Chrome and Opera display warnings and the full or partial steam:// URLs before passing them to the Steam client for execution. Firefox also requests user confirmation, but doesn't display the URL and provides no warning, while Safari automatically executes steam:// URLs without user confirmation, the researchers said.

"All the browsers that execute external URL handlers directly without warnings and those based on the Mozilla engine (like Firefox and SeaMonkey) are a perfect vector to perform silent Steam Browser Protocol calls," the researchers said. "Additionally for browsers like Internet Explorer and Opera it's still possible to hide the dodgy part of the URL from being shown in the warning message by adding several spaces into the steam:// URL itself."

Aside from tricking users to manually click on rogue steam:// URLs, attackers can use JavaScript code loaded on malicious pages to redirect browsers to such URLs, Luigi Auriemma said Tuesday via email.

Mashiki Amiketo wrote on Oct 17, 2012, 18:49:Worst case? Remote code execution with them being able to transverse directories.

That is NOT worst case. The exploits show hackers could execute anything on your PC with this exploit. That source engine exploit will run anything specified in the batch file at startup. So, delete all your files, steal your account credentials, etc. Once you can remotely execute code as you can here, the sky is really the limit.

Just don't click on any random steam url's and you'll be fine.

No, that won't do it because if the Steam url's are scripted, you don't have to click on a thing. And, if your browser doesn't prompt on the URL's as Safari doesn't at all and others won't if set that way, you won't even know if your browser executed these URL's.